Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a7fcd8e93f657a6…

MALICIOUS

PDF

Size: 218.1 KB
Created: 2021-03-08 18:35:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-16
MD5: d4d5f0aaa5f840bbb09c25bf20f61886
SHA-1: 2c20bd65bf35f648efc3993685d4f63202e26777
SHA-256: 7a7fcd8e93f657a652d6a361c5ee38d8254d2de3c49d29a1faa883f69edaf358
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains embedded URLs, one of which is identified as malicious. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, suggests a lure related to 'Asciidoctor cheat sheet pdf'. The presence of embedded URLs points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6131

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (source channel):
    • https://pelibifir.ru/award?keyword=asciidoctor+cheat+sheet+pdf (PDF link annotation)
    • https://cdn.sqhk.co/kazamepa/CUQjcv7/921128439.pdf (in PDF document text)
    • https://cdn.sqhk.co/baxorurifina/ehfggkW/zepavelujozelep.pdf (in PDF document text)
    • http://toppiksnack.xyz/desutitira8iof7.pdf (in PDF document text)
    • https://cdn.sqhk.co/pibilebomek/ha6Md8h/zivinoxopejevivuxogo.pdf (in PDF document text)
    • https://cdn.sqhk.co/kupulifip/iawgd5m/anime_face_maker_go_pro_apk_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/kunimanujage/Siigjig/fruit_kingdom_fukushima.pdf (in PDF document text)
    • http://sweetygirl.club/inc_and_grow_rich_reviewvlry7.pdf (in PDF document text)
    • https://cdn.sqhk.co/xojelumegasi/a8rxMv7/27549994523.pdf (in PDF document text)
    • http://easy-money-cash.space/pandora_hearts_caucus_race1pp11.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://povinadoli.epizy.com/10465738244.pdf (in PDF document text)
    • https://2f60c0de-bae8-48d8-8f3f-ce7907f87c52.filesusr.com/ugd/badafb_0e1da73ff8844d0b9306ee7201e94d08.pdf?index=true (in PDF document text)
    • http://reduxaxu.epizy.com/27961145349.pdf (in PDF document text)
    • https://cf075d60-af7c-4c71-a16c-5c8c125a9bb7.filesusr.com/ugd/cc03df_01cf9de1361047078db3e2978f19fd8d.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/nagudo/what_is_a_dream_upon_waking.pdf (in PDF document text)
    • http://jokunikef.epizy.com/40887257813.pdf (in PDF document text)
    • https://s3.amazonaws.com/lomogas/chromebook_operating_system_free.pdf (in PDF document text)
    • https://bc260b4e-efc2-469d-9102-9c7234992d76.filesusr.com/ugd/b1b3ad_9b9d1d1827bf4d50b8ca8abb0ce08c89.pdf?index=true (in PDF document text)
    • http://kuxiguzemafuj.rf.gd/2018_chargers_uniform_schedule.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0002fb77.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2FB77   2872 bytes
    SHA-256: 4be1e6352eec5e50790d040c5811efdbf591d3a7d52069ad5c5cef395ea6f639
font_01_sfnt_off000305b3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x305B3   5200 bytes
    SHA-256: 7e90fdd1818bd8b5f59946366081c994d08c913a6f62b5d659ee0b50f24a2cc7
font_02_sfnt_off00031760.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x31760   17540 bytes
    SHA-256: deeeb4e61e0a5be00578ffc0a3627dd480add9b371f2de93018b24ac1b0319d7
font_03_sfnt_off00034da8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x34DA8   16164 bytes
    SHA-256: be3b735bbf46fc9c7bcaec360a9e56ecda5cc5ec3e299160e18f27dd6fc5f4f6